Posted by Gordon Burditt on 10/08/80 11:27
>After long discussions here and through the help of the people in this
>board as well, here is what we are going to do. I hope this helps other
>people who would deploy a PHP-based solution at users' desktops.
>
>1. We'll make the files read-only (execute-only won't work, right?)

If you make it execute-only, PHP can't read it (the same issue
applies to shell scripts and other interpreted languages).
Ideally the files should be owned by a user *other* than the one
that Apache/PHP runs as, so a hole in Apache or PHP still won't
let them change the permissions on the files.

>2. We'll move all password related questions to a compiled code
>(C/C++). We'll make this non-browser based, so the user is not subject
>to a simple phishing attack.
>3. At the time when the password is asked (before or after), the
>compiled code will go over the php installation and check the md5 (or
>sha1) of all the php/javascript code.
>4. If there is no mismatch, the password is passed to php
>
>There is only one question we couldn't answer at this moment which is
>the following: what are the files for which we need to check.
>
>Is PHP monotonic? By that we mean does adding a file to a directory
>change the behavior of php. If the compiled program checks only the
>files we created (php/javascript), is it possible for someone to insert
>a file in our directory to change the behavior of php? Is there a file
>that I can create that redirects php to a different directory?

PHP uses an include search path. If you add a file being searched
for to a directory earlier on the search path, you get that file
instead of the one you otherwise would have gotten. This might
cause problems.

The Apache config file can change the document root directory for
a site, and it can change some of the parameters for PHP. This
file also tends to get tinkered with a lot. Some systems I administer
generate it from a database every half an hour (provisioning code
that adds/removes virtualhosts), and it might really change a few
times a week.

php.ini is also critical. Under some circumstances, which may
vary with your Apache config file, a .htaccess file can change
PHP parameters, including whether .php files are interpreted
as PHP or something else.

Gordon L. Burditt
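
The check discussed in this thread, as an added sketch that is not part of the original post or the poster's planned C/C++ program: it verifies shipped files against a hash manifest and also reports files that were added, including one placed earlier on the include search path and a new .htaccess. The names `audit` and `demo`, the manifest layout and the use of SHA-256 (instead of the md5/sha1 mentioned above) are assumptions, as is the premise that the search directories do not nest.

```python
import hashlib, os, tempfile

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit(search_dirs, manifest):
    """search_dirs: include-path directories, earliest first (assumed disjoint).
    manifest: {absolute path: expected sha256} for every shipped file."""
    findings = []
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            findings.append(("missing", path))
        elif sha256_file(path) != expected:
            findings.append(("modified", path))
    # Relative name -> index of the first search dir where we shipped it.
    first_hit = {}
    for i, d in enumerate(search_dirs):
        for path in manifest:
            if path.startswith(d + os.sep):
                first_hit.setdefault(os.path.relpath(path, d), i)
    for i, d in enumerate(search_dirs):
        for root, _, files in os.walk(d):
            for path in (os.path.join(root, n) for n in files):
                if path not in manifest:
                    rel = os.path.relpath(path, d)
                    # An unlisted file earlier on the path wins over our copy.
                    kind = "shadows" if first_hit.get(rel, -1) > i else "unexpected"
                    findings.append((kind, path))
    return sorted(findings)

def demo():
    """Constructed sample tree: an earlier include dir plus the app dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    early, app = os.path.join(base, "early"), os.path.join(base, "app")
    def write(d, name, data):
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(data)
        return path
    shipped = [write(app, n, "<?php // " + n) for n in ("login.php", "db.php")]
    manifest = {p: sha256_file(p) for p in shipped}
    write(app, "login.php", "<?php // tampered")           # hash mismatch
    write(early, "db.php", "<?php // planted")             # shadows app/db.php
    write(app, ".htaccess", "php_value include_path /tmp") # unlisted config file
    return [(k, os.path.relpath(p, base)) for k, p in audit([early, app], manifest)]

if __name__ == "__main__": print(demo())
```

A hash-only check over the shipped files would report just the first of these three findings; php.ini and the Apache config file would need to be listed in the manifest as well.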